Cyber security: Approach publishes ‘Pentest report 2023’

Agoria member Approach recently released the third version of its annual penetration testing report.

The #1 vulnerability remains ‘misconfiguration’ (38%), such as incorrect permissions for cloud services, default accounts and default passwords that are still active. Despite its growing importance for cyber resilience, a solid foundation of cyber hygiene is still not in place: many organisations remain below the cyber poverty line. ‘Input validation’ rose from third to second place, followed by problems with ‘registration and authentication’.

Compared to last year’s report, we see a downward trend in ‘high’ and ‘critical’ vulnerabilities. All efforts to tackle these problems are therefore clearly having a positive effect. On the other hand, unfortunately, 25% of all vulnerabilities are still critical or high.

After retesting, the number of unresolved vulnerabilities rose by almost 20%. This increase can be attributed to the challenges the respondents face:

– Lack of skills to solve these problems.
– The problem is inherent to the application/system.
– Developers focus on fixing critical and high vulnerabilities rather than medium or low ones.

Business logic flaws, mostly found in web and mobile applications, are critical and difficult-to-detect vulnerabilities. Attackers abuse the application’s intended business logic to achieve their malicious goals. Common attack vectors targeting business logic include:

– Misuse of authentication logic
– Misuse of authorization logic
– Manipulating user input
– Using unexpected user input
– Wandering in the workflow
– Breaking through the intended logic

You can protect yourself against these flaws by actively having (penetration) tests performed by experienced experts, taking these flaws into account when developing applications and using application threat modelling.
